
Two PIXs in failover mode, Primary PIX has failed!

PJWHITBY
Level 1

Okay, here's the situation. I have two PIX-515Es in a failover scenario. The Primary PIX has a UR license and the Secondary PIX has an FO license.

The Primary PIX has failed; it decided to hang, and when manually rebooted it came up with no config, just the default factory config.

The Secondary is now active and passing traffic, and everything is fine; the Primary is failed and is actually powered off.

The output from the show fail command on the active Secondary is:

    Failover On
    Cable status: Other side powered off
    Failover unit Secondary
    Failover LAN Interface: N/A - Serial-based failover enabled
    Unit Poll frequency 15 seconds, holdtime 45 seconds
    Interface Poll frequency 15 seconds
    Interface Policy 1
    Monitored Interfaces 5 of 250 maximum
    failover replication http
    Last Failover at: 12:01:11 NZST Jan 1 1993
    This host: Secondary - Active
    Active time: 2700 (sec)
    Interface inside (10.a.b.c): Normal (Waiting)
    Interface outside (203.w.x.y): Normal (Waiting)
    Interface dmz (10.g.h.i): Normal (Waiting)
    Interface intf4 (0.0.0.0): Link Down (Waiting)
    Interface intf5 (0.0.0.0): Link Down (Waiting)
    Other host: Primary - Failed
    Active time: 0 (sec)
    Interface inside (10.a.b.d): Unknown (Waiting)
    Interface outside (203.w.x.z): Unknown (Waiting)
    Interface dmz (10.g.h.j): Unknown (Waiting)
    Interface intf4 (0.0.0.0): Unknown (Waiting)
    Interface intf5 (0.0.0.0): Unknown (Waiting)

The issue I have is threefold:

1. If I power on the Primary PIX with no config, will the Secondary stay active without traffic interruption?

2. If I do power on the Primary and all is well, can I send the config from the active Secondary to the failed Primary?

3. If I do not power on the Primary, will the active Secondary, which is running the FO license, reboot after 24 hours, even if it recognises the Primary's state as powered off?

Thanks in advance

Paul
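The state shown in the output above can also be checked mechanically from a saved `show failover` capture. The following is an added example, not part of the original thread and not Cisco code: the function names and the rules in `assess` are assumptions, and the sample text is a constructed, trimmed copy of the posted output.

```python
import re

# Constructed sample, trimmed from the output quoted in the post above.
SAMPLE = """\
Failover On
Cable status: Other side powered off
Failover unit Secondary
Interface Poll frequency 15 seconds
This host: Secondary - Active
Interface inside (10.a.b.c): Normal (Waiting)
Interface intf4 (0.0.0.0): Link Down (Waiting)
Other host: Primary - Failed
Interface inside (10.a.b.d): Unknown (Waiting)
"""

HOST = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE = re.compile(r"^Interface (\S+) \(([^)]*)\): (.+?)(?: \((.+)\))?$")

def parse_show_failover(text):
    """Turn 'show failover' text into a dict of unit, cable and per-host state."""
    out = {"enabled": None, "cable": None, "unit": None, "hosts": {}}
    host = None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Failover On", "Failover Off"):
            out["enabled"] = line.endswith("On")
        elif line.startswith("Cable status: "):
            out["cable"] = line.split(": ", 1)[1]
        elif line.startswith("Failover unit "):
            out["unit"] = line.split()[-1]
        elif m := HOST.match(line):
            host = out["hosts"].setdefault(m[1], {"role": m[2], "state": m[3], "ifaces": {}})
        elif host is not None and (m := IFACE.match(line)):
            host["ifaces"][m[1]] = {"addr": m[2], "status": m[3]}
    return out

def assess(st):
    """List redundancy problems; the rules here are assumptions, not Cisco guidance."""
    this, other = st["hosts"].get("This", {}), st["hosts"].get("Other", {})
    findings = []
    if st["cable"] != "Normal":
        findings.append(f"cable: {st['cable']}")
    if other.get("state") != "Standby" and this.get("state") == "Active":
        findings.append(f"no standby: {other.get('role')} is {other.get('state')}")
    # Assumption: 0.0.0.0 marks an unconfigured interface, so it is skipped.
    for name, i in this.get("ifaces", {}).items():
        if i["addr"] != "0.0.0.0" and i["status"] != "Normal":
            findings.append(f"{name}: {i['status']}")
    return findings

if __name__ == "__main__":
    print(assess(parse_show_failover(SAMPLE)))
```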

5 Replies

sachinraja
Level 9

Hello Paul,

Please find the answers below:

1. If I power on the Primary PIX with no config, will the Secondary stay active without traffic interruption

Ans - Yes. The failover PIX will remain primary and send traffic without traffic interruption. If you need to force the failover PIX (which is primary now) to standby, you need to manually reboot it. Until that time, the failover PIX acts as active and will continue forwarding traffic.

2. If I do power on the Primary and all is well, can I send the config from the active Secondary to the failed Primary

Ans - Use the command write standby to copy the configs to the failover unit.

3. If I do not power on the Primary, will the active Secondary, that is running the FO license, reboot after 24 hours, even if it recognises the Primary's state as powered off.

Ans - I don't think it will boot after 24 hours. If you have a failover cable plugged in, and since it has already recognised a primary unit, it will remain stable. No issues in that.

Hope this helps. All the best. Rate replies if found useful.

Raj

Paul,

Do you know why your Primary lost its config? Also, you can restore the Primary to the Active role by issuing the failover active command; there is no need to reboot the secondary. You can find more information on the failover command here: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1029143

Bryan

I have no idea why it lost its config; unfortunately, I am 3 timezones away from it.

Will the failed, currently powered off, Primary PIX with no config take the config from the active Secondary PIX when I power on the Primary PIX, or will I need to issue any commands? Actually failing back to the Primary PIX is not a big issue; making sure that both PIXs have the same current config is the issue.

Thanks for your help and advice,

Paul

The config should be transferred to the Primary unit on bootup. To be safe, copy the running config from the Secondary into a text editor before powering on the Primary.

If, by chance, the empty config from the Primary is sent to your secondary, paste the config from the text document into your Primary, then issue a write standby.

The Cisco doc on this states: The active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages "Sync Started" and "Sync Completed" appear on the primary console.

So, from this, I gather that the failover roles are not of importance in this case, only the failover states (active/standby). Since your Secondary unit is the Active, its config should be copied to your Primary (standby) unit.

I hope this goes well for you.

Bryan

Yes, you were right.

I powered on the failed Primary with no config on it, issued the command failover on it, and the active Secondary just sent across its config!

Thanks Bryan.
